Federal Decree Law No. 45/2021 on the Protection of Personal Data (the "UAE Personal Data Protection Law") will revolutionize the way that data is regulated in the UAE.
How did we get here?
Up until now, onshore UAE has not had a standalone sector-wide data protection law. Whilst the UAE's two financial free zones, the Dubai International Financial Centre ("DIFC") and Abu Dhabi Global Market ("ADGM"), have had in place self-standing sector-wide data laws that are largely inspired by the EU's General Data Protection Regulation (the "GDPR"), which has been in force since May 2018, onshore UAE data regulation ultimately comprised a patchwork of limited provisions drawn from the UAE's Penal Code, Constitution and Cyber Crime Law. Certain sectors such as financial services were (and remain) subject to separate and generally more demanding requirements in specialist legislation, which includes the Central Bank Law, the Outsourcing Regulation for Banks, the Retail Payment Services and Card Scheme Regulation and the Stored Value Facilities Regulation. Whilst the same is true of the UAE's healthcare sector, for example, there was clearly a pressing need for more granular sector-wider data legislation.
This, coupled with the strategic focus on data and technology in the UAE (as well as in neighboring Saudi Arabia), the movement of privacy and cybersecurity concerns up the international agenda as well as the impact that the GDPR in particular has had on global business and data flows, means that it comes as no surprise that these changes are being made. Indeed, they are best seen as part of a broader trend across the region. DIFC and ADGM, for example, both updated their own data protection laws in 2020 and Q1 2021 respectively. Saudi Arabia also issued its first self-standing personal data protection law on 24 September 2021.
Who does the UAE Personal Data Protection Law apply to?
The UAE Personal Data Protection Law applies to:
- an individual who resides or has a place of business in the UAE;
- any business in the UAE which processes the Personal Data of individuals, whether those individuals are located inside or outside the UAE; and
- any business located outside the UAE that processes the Personal Data of individuals who are located inside the UAE.
This means the UAE Personal Data Protection Law has extra-territorial effect, applying to businesses that do not have a presence in the UAE but which process the Personal Data of individuals who reside in the UAE.
The UAE Personal Data Protection Law does not apply to:
- government data (the precise contours of government data are unclear);
- government authorities;
- Personal Data held by security or judicial authorities;
- individuals who process their data for personal purposes;
- health personal data that is subject to separate legislation;
- banking and credit personal data that is subject to separate legislation; and
- businesses incorporated in the DIFC or ADGM (who are required to comply with data laws governing those financial free zones).
What similarities exist between the UAE Personal Data Protection Law and the GDPR?
Key definitional concepts
The following defined terms, which are broadly in line with those used in the GDPR and the data protection laws in the DIFC and ADGM, are now incorporated into UAE law:
Any data relating to: (a) an identified natural person or (b) a natural person who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, ID number, online identifier, geographic location or special features that express the physical, psychological, economic, cultural or social identity of that person. It includes Sensitive Data and Biometric Data.
"Sensitive Personal Data"
Any data that directly or indirectly reveals a natural person's family, racial origin, political, or philosophical opinions, religious beliefs, criminal records, biometric data, or any data related to the health of such person, such as his / her physical, psychological, mental, genetic or sexual condition, including information related to health care services that reveals his or her health status.
A person who specifies the method, criteria and purpose of processing Personal Data.
A person who processes Personal Data on behalf of the Controller, as directed and instructed by the Controller.
Any operation or set of operations performed on Personal Data. This includes, amongst other things, collecting, storing, organizing, modifying, sharing, disclosing or destroying Personal Data.
The consent given by an individual to authorize third parties to process his / her Personal Data, which must be specific, informed, unambiguous and clear. It can be given in writing or electronically.
Key principles and requirements
Numerous overarching principles and requirements that are recognized in the GDPR are now incorporated into UAE law:
Fairness, transparency and lawfulness
Personal Data must be processed in a fair, transparent and lawful manner.
Personal Data must be collected for a specific and clear purpose and is not to be processed in a manner incompatible with such purpose.
Personal Data collected / processed by a business must be limited to what is needed for the purpose for which it was collected.
Personal Data must be accurate and correct and updated whenever necessary. Businesses must put in place appropriate measures and procedures to ensure the erasure or correction of incorrect Personal Data.
Security and confidentiality
Personal Data must be kept secure and protected by appropriate technical and organizational measures and procedures.
Personal Data may not be kept after fulfilling the purpose of processing unless the identity of the individual is anonymized.
What differences exist between the UAE Personal Data Protection Law and GDPR?
Absence of legitimate interest justification
Unlike the GDPR, the UAE Personal Data Protection Law does not contain a legitimate interest justification for the processing of Personal Data. Rather, there is an expectation that the consent of an individual will be obtained unless an exception applies, with such exceptions including that the processing is necessary to:
- protect the public interest;
- defend a legal claim;
- protect the interests of the individual in question;
- perform a contract; or
- fulfil obligations under UAE law.
Stricter breach notification requirements
Whilst it appears the position is to be clarified in the Executive Regulations (expected to be released at the end of Q1 2022), as it stands the UAE Personal Data Protection Law requires businesses to notify the UAE Data Office of Personal Data breaches "immediately upon becoming aware" of them. This more strongly resembles the stricter position recently adopted in Saudi Arabia (where the requirement is that such breaches are to be notified by the business to the data regulator, SDAIA, "as soon as it becomes aware" of the breach and to the affected individual "immediately"), rather than the position in the EU where under the GDPR the breach is to be notified to the relevant supervisory authority "without undue delay", and ultimately within 72 hours of having become aware of it.
How does the UAE Personal Data Protection Law change the regulation of data in onshore UAE?
Arrangements to secure individuals' rights
Businesses need to ensure they have appropriate policies, procedures and measures in place to secure various rights that the UAE Personal Data Protection Law grants to individuals, such rights being broadly in line with the GDPR and the data protection laws in the DIFC and ADGM, and which include:
Right to obtain information
Individuals have the right to be told about what aspects of - and how - their Personal Data is being processed. Whilst there is no express requirement for businesses to use privacy notices, their use could assist in securing compliance with this requirement amongst others.
Right to access
Individuals have the right to obtain access to their Personal Data.
Right to request Personal Data transfer
Individuals have the right to request that their Personal Data is moved from one business to another (e.g. if they decide to change service provider).
Right to correction or erasure
Individuals have the right to require inaccurate information about themselves to be corrected and have the right to have their Personal Data erased if it is no longer required for the purpose for which it was collected.
Right to restrict or stop processing
Individuals may require businesses to restrict or stop processing their Personal Data in certain circumstances.
Right to file a complaint
Individuals have the right to file a complaint with the UAE Data Office.
Right to withdraw consent
At any time individuals can withdraw consent they have given a business to process their Personal Data.
Businesses need to put in place appropriate technical and organizational measures to protect Personal Data.
Businesses need to notify the new UAE Data Office and individuals who are affected if a Personal Data breach occurs that may prejudice the privacy, confidentiality and security of Personal Data. The notification needs to include, amongst other things, details of the nature of the breach, what caused it, the number of records involved, the expected effects and corrective measures taken.
Data protection officers
Businesses now need to appoint a data protection officer (who is not required to reside in the UAE) if they engage in Personal Data processing which:
- is likely to involve a high level of risk to the confidentiality and privacy of the Personal Data of the individual due to the use of new technologies or as a result of the amount of data involved;
- will involve a systematic and comprehensive assessment of Sensitive Personal Data; or
- will be undertaken on a large amount of Sensitive Personal Data.
Special record of Personal Data
Businesses must maintain a special record of Personal Data that is required to include information about the data the business holds, who can access the data, processing arrangements, cross-border data transfers and security measures and such like. The UAE Data Office has the right to request access to this record. The requirements appear to go slightly beyond the GDPR but are not overly onerous.
Data protection impact assessment ("DPIAs")
Businesses are required to assess and explain the impact of Personal Data processing and its purpose, necessity, risks and the safeguards that will be applied if the processing:
- would be likely to have a significant impact on an individual; or
- involves the processing of large amounts of Sensitive Personal Data.
How do data transfers outside the UAE work?
The rules in the UAE are more liberal than the positon recently adopted by Saudi Arabia and are closer to the position in the GDPR and the data protection laws of the DIFC and ADGM.
Personal Data may be transferred outside the UAE if:
- Adequate data laws are in place: The country to which the Personal Data is to be transferred has adequate data protection laws in place; or
- Adequate data laws are not in place, but:
- Necessary contractual protections are in place – The Personal Data is transferred pursuant to a contract which requires the party receiving the Personal Data to comply with the UAE Personal Data Protection Law;
- Consent is obtained – The express consent of the individual to transfer his / her Personal Data is obtained; or
- Judicial authorities are involved – The transfer of Personal Data is necessary to fulfil obligations or exercise rights before judicial authorities or to perform a procedure relating to international judicial co-operation;
- It is necessary to perform or enter into a contract – The transfer of Personal Data is necessary to enter into or perform a contract between: (a) a business and individual or (b) a business and a third party to achieve an individual's interest; or
- It is necessary to protect the public interest – The transfer of Personal Data is necessary to protect the public interest.
It is unclear how "adequacy" will be determined, although we imagine that a "white list" of jurisdictions meeting the requirements might be issued by the UAE Data Office in due course.
The UAE Personal Data Protection Law further indicates that the Executive Regulations will set out details of the controls that will need to be put in place where Personal Data is being transferred outside the UAE in circumstances where adequate data protection laws are not in place.
What are the consequences of breaching the UAE Personal Data Protection Law?
The penalties for breaching the UAE Personal Data Protection Law are presently unclear, but our expectation is that fines will apply, with applicable amounts largely resting on the seriousness of the breach, the number of individuals affected and the conduct of the business in question. The Executive Regulations are expected to clarify the position.
What should you do next?
- The UAE Personal Data Protection Law will take effect on 2 January 2022.
- Businesses have until six months after the Executive Regulations come out to align themselves with the requirements.
- The expectation is that the Executive Regulations will be released in March 2022, meaning that businesses will have until around September 2022 to ensure they are compliant.
- By the start of summer 2022 businesses should therefore:
- Undertake an audit – To assess any compliance gaps with existing Personal Data processing arrangements as compared to the requirements of the UAE Personal Data Protection Law; ascertain the suitability of existing policies, procedures and measures as compared to the requirements of the UAE Personal Data Protection Law; map out existing data flows; check for the existence of valid consents to data processing; and ensure provisions in existing contractual arrangements comply with the requirements of the UAE Data Protection Law.
- Update data protection policies – These should now be updated to reflect the new requirements of the UAE Data Protection Law (or put in place if you do not already have them).
- Prepare special record of Personal Data – Start building your special record of Personal Data and ensure it contains the details specified above.
- Prepare Data breach / cyber incident response plan – If you do not already have plans in place to address data breaches and cyber incidents, these should now be put in place and road-tested.
- Check consent language – Consider the language you are using to obtain consent from individuals with respect to the processing of their Personal Data. Is the consent given specific, informed, unambiguous and clear?
- Consider privacy notices – You may consider it appropriate to introduce privacy notices if you are not already using them in order to ensure compliance with the new requirements of the UAE Personal Data Protection Law.
- Put in place systems for handling requests from individuals – Consider how you will manage requests for information from individuals to access information and enforce their rights under the UAE Personal Data Protection Law.
- Consider data privacy impact assessments – Consider whether DPIAs are needed for existing or proposed data processing, projects (such as outsourcing, cloud migrations and large-scale corporate re-organizations) or financial product launches.
- Hold training – Employees should be required to participate in training which covers the high-level, practical requirements of the UAE Data Protection Law and best practices with respect to data handling.
Who should you contact for further help or guidance?
Please contact Stefan Mrozinski, our MENA data specialist, if you would like to discuss how the UAE Personal Data Protection Law applies to your business or how to progress the steps you should now be taking to ensure compliance. Stefan and our wider team are also available to discuss data protection requirements in the UAE for financial services and healthcare businesses, the data rules that apply in the UAE's financial free zones as well as the latest data protection developments in Saudi Arabia.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2021 White & Case LLP